[Samba] Permission denied on GPT.ini (Event ID 1058)

Sébastien Le Ray sebastien-samba at orniz.org
Mon Mar 21 15:32:21 UTC 2016


I did the same, checking "replace child folders permission" and set 
inheritance back (ntacl sysvolreset does not seem to do much), no 

In Event Viewer, right before the GPO failure, I have a Kerberos 
warning: "The number of maximum ticket referrals has been exceeded 

On 21/03/2016 15:53, L.P.H. van Belle wrote:
> Hai,
> Today I had "about" the same problem.
> Check the following.
> 1) Get the Policy id  ( like ":  {78732DBF-5381-497B-9B25-00A278270A1F} from
> 2) run getfacl on the folder like :
>   getfacl \{78751DBF-5381-497B-9B25-00A278270A1F\}/
> Here, in my case, I noticed the following.
> I had a user set on one specific policy; I changed that user to a newly created group.
> After looking with getfacl I noticed that the user was still on GPT.INI
> and not the group.
> Resulting in the Permission denied on GPT.ini.
> For now I fixed it by setting the inheritance of the folder to the files again.
> To summarize what I think, and others must test this also:
> When creating the policy for the first time it sets the correct U+G rights.
> After changing this, not.
> Another quick fix is to add the computer($) to the group.
> I hope people know what I mean; if not, ask me.
> Greetz,
> Louis
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sébastien Le Ray
>> Sent: Monday 21 March 2016 10:45
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
>> On 20/03/2016 17:03, Klaus Hartnegg wrote:
>>>> On 19.03.2016 at 08:16, Sébastien Le Ray <sebastien-samba at orniz.org> wrote:
>>>> Yes but in that case I'm not using the machine account anymore but the
>>>> currently logged in user account. That's why I guess it is related to some
>>>> machine account configuration issue but I can find no way to test machine
>>>> account access?
>>> psexec -i -s cmd.exe
>>> must be run as admin
>>> will open a new window
>>> try there:
>>> echo %username%
>>> looks like machine account
>> Hi,
>> This gives me the machine account name which I already know.
>> BUT I used pushd \\path\to\sysvol in the spawned cmd.exe and I
>> successfully mounted the supposedly unreadable share (tried all 5 DCs)
>> and type'd the GPT.ini
>> If someone has any further investigation track, I'll take it
>> Regards

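The getfacl check described in the quoted reply (a principal still present on GPT.INI but no longer on the policy folder), as an added example that is not part of the original thread: it parses `getfacl -R` output and reports files whose named user/group entries differ from their parent folder. The sample output, the GUID placeholder and the numeric IDs are constructed.

```python
"""Report files whose named ACL entries differ from their policy folder."""
import posixpath
# Constructed `getfacl -R` output; the GUID placeholder and IDs are made up.
SAMPLE = """\
# file: {POLICY-GUID-PLACEHOLDER}
user::rwx
group::rwx
group:3000034:r-x
mask::rwx
other::---
default:group:3000034:r-x

# file: {POLICY-GUID-PLACEHOLDER}/GPT.INI
user::rwx
user:3000021:r-x
group::rwx
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Map each path to its named access entries: {(tag, id): perms}."""
    acls, current = {}, None
    for raw in text.splitlines():
        if raw.startswith("# file: "):
            current = acls.setdefault(raw[len("# file: "):], {})
            continue
        line = raw.split("#", 1)[0].strip()   # drop headers and "#effective:"
        if not line or line.startswith("default:") or current is None:
            continue                          # default ACLs are not compared
        tag, who, perms = line.split(":", 2)
        if who:                               # skip owner, mask and other
            current[(tag, who)] = perms
    return acls

def acl_drift(acls):
    """Return (path, only_on_file, only_on_folder) for each drifting file."""
    findings = []
    for path, entries in sorted(acls.items()):
        parent = acls.get(posixpath.dirname(path))
        # Compares which principals are listed, not their permission bits.
        if parent is not None and set(entries) != set(parent):
            findings.append((path, sorted(set(entries) - set(parent)),
                             sorted(set(parent) - set(entries))))
    return findings

if __name__ == "__main__":
    for path, on_file, on_folder in acl_drift(parse_getfacl(SAMPLE)):
        print(f"{path}: only on file {on_file}; only on folder {on_folder}")
```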